EU Cyber Resilience Act a ‘death knell’ for open source software, critics warn


The EU’s proposed Cyber Resilience Act could spell disaster for the open source community, with critics describing the legislation in its current form as a ‘death knell’ for the industry.

Brian Fox, CTO at Sonatype, said that in its current form the act risks “severely undermining” open source projects across the Union and poses a serious threat to the security and sustainability of the ecosystem.

Fox’s comments come ahead of a crucial EU vote on the future of the act on Wednesday, which could see individual developers held liable for vulnerabilities in the software they publish.

Critics are now urging lawmakers to show restraint and have called on MEPs to vote against the bill in its current draft.

“In its current form, the Cyber Resilience Act risks being a death knell to open source, severely undermining both its security and sustainability,” Fox said.

“If the current course isn’t changed before the upcoming vote, we are at risk of an open source software crisis in the EU, which would be catastrophic for our digital economy, innovation, and security.

“We are calling on EU citizens to implore their MEPs to vote against the Act and help fix this mess. It is now the eleventh hour in the race to save open source.”

Punishing open source developers

A focal point of the Cyber Resilience Act centers on liability for open source developers. In its current iteration, developers may be held accountable for vulnerabilities in the software they publish.


Given that open source software is used by businesses across the Union, critics argue that the prospect of penalties and compliance obligations could prompt contributors to withdraw from projects. In the long term, they say, this could seriously harm the ecosystem.

This aspect of the bill has led to a long-running dispute between the European open source community and legislators, Fox said, with back-and-forth discussions on the matter producing little change.

Earlier this year, an open letter signed by several industry stakeholders, including the Linux Foundation Europe, warned that the bill would have a “chilling effect” on open-source development and the community. 

In April, Gabriele Columbro, general manager for the Linux Foundation in Europe, told ITPro that many contributors across Europe were worried they could be “slapped with lawsuits” and “decide not to put a project in the open” as a result.

Fox echoed this sentiment, suggesting that EU lawmakers have a “narrow outlook” on the benefits of open source and that they have been unwilling to compromise with the community in recent months. 

“It is hugely worrying that legislators are ignoring the industry’s voice,” he said. “The EU has approached the issue of software security with a narrow outlook and has failed to address the concerns raised.”

Pro-innovation legislation

Fox specifically highlighted the US National Cybersecurity Strategy as an example of how policymakers can work in closer alignment with the open source community.

Unveiled in March 2023, the strategy proposed shifting liability for insecure software onto the vendors best placed to reduce risk, while explicitly excluding open source developers and projects. At the time, this was welcomed by industry stakeholders and hailed as a pro-innovation approach.

“This is in contrast to the attitude of the US government, which has consistently given the open source industry a voice in its cyber security initiatives. Some of us in the industry have been working for more than six months to try to prevent the impending open source disaster in the EU.”

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
